How to assign an Azure Managed Identity as the owner of a Microsoft Entra ID Application Registration

Assigning a user principal as the owner of a Microsoft Entra ID app registration and/or service principal is straightforward and the Azure Portal makes this easy.

However, assigning a service principal (or a managed identity, which is represented by a service principal) as the owner is not as straightforward and cannot currently be done in the Azure portal.

Therefore, we must use the Azure CLI or PowerShell. We will need two pieces of data to assign ownership:

  1. The unique identifier of the managed identity service principal
  2. The unique identifier of the app registration

Get the unique identifier of the managed identity service principal

In Azure CLI, first we need to get the ID of the service principal that is represented by a managed identity.

az identity show --resource-group rg-semantic-kernel-sleeping-bag --name id-api-okacpwqbbwxx4 --query "principalId"

"5ef95142-6e5c-4682-b4c9-4329c5278647"

This returns the unique identifier of the service principal of the managed identity (note that we could also get this value from the Azure Portal, in the Microsoft Entra ID blade under Enterprise Applications).

Get the unique identifier of the app registration

Now that we have this GUID, we can search for the unique identifier of the app registration to which we want to assign the owner.

az ad app list --display-name "dapr-trafficcontrol" --query "[].id"

[
  "08fd5056-b98f-4a37-a5ef-44433f822018"
]

Note that this may not be the best way to search for app registrations, as display names are not guaranteed to be unique in a given tenant. You may have to add more query parameters to find the correct app registration. You can also get this value from the Azure Portal, in the Microsoft Entra ID blade under App Registrations.

Also note that this is the object ID of the app registration, not the application ID (client ID). While the client ID is also unique, it isn't the correct GUID for identifying an app registration in a tenant for the purpose of assigning ownership.

Assign ownership of the app registration to the managed identity service principal

Now that we have both GUIDs, we can run the Azure CLI command to assign ownership over the app registration programmatically.

az ad app owner add --id 08fd5056-b98f-4a37-a5ef-44433f822018 --owner-object-id 5ef95142-6e5c-4682-b4c9-4329c5278647

If we look in the app registration Owner blade, we should see the managed identity ownership.

This same method will also work for assigning ownership over service principals.
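As an added example (not from the original post), the three Azure CLI steps above wrapped in one POSIX shell script, with a guard for the non-unique display name problem noted earlier: the script refuses to proceed unless each lookup returns exactly one well-formed GUID. The resource group, identity name and display name are placeholders, and the az calls assume the Azure CLI is installed and logged in to the right tenant.

```shell
#!/usr/bin/env sh
# Added example script, not the original post's own code.
# Usage: sh assign-owner.sh <resource-group> <identity-name> <app-display-name>

# Accept a newline-separated list of object ids (as `az ... -o tsv` prints them)
# and echo it back only if it is exactly one well-formed GUID; fail otherwise.
# This is what protects against an ambiguous `az ad app list --display-name`.
require_single_id() {
  ids=$(printf '%s\n' "$1" | sed '/^[[:space:]]*$/d')
  count=$(printf '%s\n' "$ids" | sed '/^$/d' | wc -l | tr -d ' ')
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one object id, found $count" >&2
    return 1
  fi
  if ! printf '%s\n' "$ids" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    echo "value is not a GUID: $ids" >&2
    return 1
  fi
  printf '%s\n' "$ids"
}

# Step 1: object id of the managed identity's service principal.
get_identity_principal_id() {
  az identity show --resource-group "$1" --name "$2" --query principalId -o tsv
}

# Step 2: object id (not client id) of the app registration, by display name.
get_app_object_id() {
  az ad app list --display-name "$1" --query '[].id' -o tsv
}

# Step 3: make the managed identity an owner of the app registration.
assign_owner() {
  rg=$1; identity=$2; app_name=$3
  owner_id=$(require_single_id "$(get_identity_principal_id "$rg" "$identity")") || return 1
  app_id=$(require_single_id "$(get_app_object_id "$app_name")") || return 1
  az ad app owner add --id "$app_id" --owner-object-id "$owner_id"
}

if [ "$#" -eq 3 ]; then
  assign_owner "$@"
fi
```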
